On Fri, Nov 26, 2010 at 21:44, Noah Slater <nsla...@apache.org> wrote: > But assuming we got this working, we face the problem of not being able to > apply our own patches. Also, the software it downloads might have some bug in > it that was introduced a week, day, or hour before the release was made. How > would we defend ourselves against this?
You pull a specific version tarball and check it against a checksum? Cheers, Dirkjan